[openssl-users] How to verify a cert chain using Openssl command line?

David Li dlipubkey at gmail.com
Tue Jun 30 16:13:18 UTC 2015


Ben,

I think you are right. My verify test is okay now if I match the
subjectAltName to the nameConstraints defined by the subCA.
Thanks.

David


On Mon, Jun 29, 2015 at 6:23 PM, Ben Humpert <ben at an3k.de> wrote:
> Yes, because nameConstraints are inherited.
>
> I don't know exactly where the bug lies but I strongly advise NOT to
> use nameConstraints because while there is a standard nobody has
> implemented full or correctly working support for it. I ran various
> tests some weeks ago and the result was horrible. See
> https://mta.openssl.org/pipermail/openssl-users/2015-May/001387.html
> and https://mta.openssl.org/pipermail/openssl-users/2015-May/001388.html
>
> 2015-06-29 23:58 GMT+02:00 David Li <dlipubkey at gmail.com>:
>> The subCA has nameConstraints in the subCA configuration file:
>>
>> [name_constraints]
>> permitted;DNS.0 = example.com
>>
>> client configuration file has subjectAltName:
>> subjectAltName = DNS: www.cs.com
>>
>> So is this a mismatch? How come the s_client/s_server test was okay?
>>
>> On Mon, Jun 29, 2015 at 2:12 PM, Ben Humpert <ben at an3k.de> wrote:
>>> Do you use nameConstraints or have specified IP in subjectAltName?
>>> Because OpenSSL can't handle that correctly.
>>>
>>> 2015-06-29 22:51 GMT+02:00 David Li <dlipubkey at gmail.com>:
>>>> Hi,
>>>>
>>>> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
>>>> a client cert (signed by the subCA). Now I want to use verify,
>>>> s_client and s_server to test them together.
>>>>
>>>> However I searched and tried a number of times but still unsure about
>>>> the correct syntax format in verify command. This is what I did:
>>>>
>>>> cat rootCA.crt subCA.crt > caChain.crt
>>>>
>>>> openssl -verbose -verify -CAflie caChain.crt clientCert.crt
>>>>
>>>> openssl verify -CAfile caChain.crt client/clientCert.crt
>>>> client/clientCert.crt: C = US, ST = California, O = David's company,
>>>> CN = David's client cert, emailAddress = david.li at example.com
>>>> error 47 at 0 depth lookup:permitted subtree violation
>>>>
>>>>
>>>> However it seems my s_client and s_server test is OK:
>>>>
>>>> I created a caChain by concatenating rootCA and subCA together:
>>>>
>>>> Server:
>>>> openssl s_server -cert server/serverComb.crt -www -CAfile caChain.crt -verify 3
>>>>
>>>> where serverComb.crt = cat of serverCert and server key
>>>>
>>>> Client:
>>>> openssl s_client -CAfile caChain.crt -cert client/clientComb.crt
>>>>
>>>> where clientComb.crt = cat of clientCert and clientKey
>>>>
>>>>
>>>> Does anyone have any idea why the verify command failed?
>>>>
>>>> Thanks.
>>>> _______________________________________________
>>>> openssl-users mailing list
>>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

